Spring Security不会在拦截URL上重定向 [英] Spring security wont redirect on intercept-url
问题描述
我的spring-security.xml存在2个弹簧问题
I have 2 problems with spring my spring-security.xml
-
当我在
access="ROLE_ADMIN,ROLE_EMPLOYEE"
中担任多个角色时 我得到了例外:Caused by: java.lang.IllegalArgumentException: Failed to parse expression 'ROLE_ADMIN,ROLE_EMPLOYEE'
但是,如果我有一个角色:access="ROLE_ADMIN"它将正常工作
When I have more than one role in
access="ROLE_ADMIN,ROLE_EMPLOYEE"
I get the exception:Caused by: java.lang.IllegalArgumentException: Failed to parse expression 'ROLE_ADMIN,ROLE_EMPLOYEE'
But if I have one role:access="ROLE_ADMIN"it will work fine
如果我直接降落在/Management/main/admin上,则不会被以下规则重定向:security:form-login login-page="/Management/auth/login/",这意味着我可以在没有角色admin的情况下进入应用程序.
If I land directly on /Management/main/admin I wont be redirected by the rule: security:form-login login-page="/Management/auth/login/", meaning I can enter the application without role admin.
这是我的spring-security.xml
this is my spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:lang="http://www.springframework.org/schema/lang"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:sec="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<sec:global-method-security secured-annotations="enabled" jsr250-annotations="enabled" />
<sec:http auto-config="true" use-expressions="true"
access-denied-page="/Management/auth/denied">
<sec:intercept-url pattern="/Management/auth/login" filters="none" access="permitAll"/>
<sec:intercept-url pattern="/Management/main/admin" filters="none" access="ROLE_ADMIN,ROLE_EMPLOYEE" />
<sec:intercept-url pattern="/Management/api/affiliates/**" filters="none" access="ROLE_ADMIN,ROLE_EMPLOYEE" />
<sec:form-login login-page="/Management/auth/login/"
authentication-success-handler-ref="loginAuthenticationSuccessHandler"
authentication-failure-url="/Management/auth/login?error=true"
login-processing-url="/Management/auth/j_spring_security_check"
default-target-url="/Management/auth/login?error=false" />
<sec:logout invalidate-session="true"
logout-success-url="/Management/auth/login/" logout-url="/Management/auth/logout" />
</sec:http>
<sec:authentication-manager>
<sec:authentication-provider
user-service-ref="customUserDetailsService">
<sec:password-encoder ref="passwordEncoder" />
</sec:authentication-provider>
</sec:authentication-manager>
<bean id="loginAuthenticationSuccessHandler" class="com.affiliates.server.security.LoginAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/Management/auth/login?error=false"/>
</bean>
<bean
class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"
id="passwordEncoder" />
<bean id="customUserDetailsService" class="com.affiliates.service.CustomUserDetailsService" />
</beans>
这是我的web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring-security.xml
/WEB-INF/applicationContext.xml
</param-value>
</context-param>
<context-param>
<param-name>log4jConfigLocation</param-name>
<param-value>/WEB-INF/classes/log4j-myapp.properties</param-value>
</context-param>
<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>/Management/*</url-pattern>
</servlet-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
</web-app>
推荐答案
您正在使用 use-expressions = true
您必须在拦截URL中使用SpEL,如下所示:
You have to use SpEL in your intercept-url like the following:
<security:http auto-config="true" use-expressions="true" access-denied-page="/krams/auth/denied" >
<security:intercept-url pattern="/krams/auth/login" access="permitAll"/>
<security:intercept-url pattern="/krams/main/admin" access="hasRole('ROLE_ADMIN')"/>
<security:intercept-url pattern="/krams/main/common" access="hasRole('ROLE_USER')"/>
....
</security:http>
要查看实际操作,请访问以下教程: http://krams915.blogspot.com/2010/12/spring-security-3-mvc-using-simple-user.html
To see this in action, visit the following tutorial: http://krams915.blogspot.com/2010/12/spring-security-3-mvc-using-simple-user.html
您可能还希望查找有关本机表达式的一些信息: http://krams915.blogspot.com/2010/12/spring-security-3-mvc-using-native.html
You might wanna look as well some info about native expressions: http://krams915.blogspot.com/2010/12/spring-security-3-mvc-using-native.html
这篇关于Spring Security不会在拦截URL上重定向的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
